This is a tutorial on setting up Secure Shell (SSH) on Cisco routers and switches. Previously we talked about how to set up Telnet access to Cisco routers and switches. ssh (the OpenSSH SSH client) is a remote login program: it logs into a remote machine and executes commands on the remote device. It is the successor to Telnet and was developed with the security of user data in mind.
SSH uses TCP port 22 by default to connect to a remote device. It is intended to replace rlogin and rsh and to provide secure encrypted communications between two untrusted hosts over an insecure network. The user must prove his identity to the remote machine before he is allowed to connect.
Secure Shell uses encryption keys to protect the data it sends, so sensitive information such as the username and password is protected from an eavesdropper.
List of commands used for ssh on Cisco Routers and Switches 
ip domain-name: Used to set domain name
crypto key generate rsa general-keys modulus: Used to generate the encryption keys used for establishing a secure session between devices.
ip ssh time-out: Used to set the maximum idle time for an SSH session.
ip ssh authentication-retries: Used to set the maximum number of failed login attempts for an SSH connection.
line vty: Used to choose the VTY lines to configure.
transport input ssh telnet: Tells the router to use ssh and then Telnet if ssh is not configured. SSH is given top priority.
We’ll use the same topology shown below that we used for Telnet Lab.
screenshot 1

Steps to follow
We’ll set up R1 as the SSH client and R2 as our SSH server.
R1 configurations
login local means that for any inbound connection coming in on the VTY lines, the router prompts for a username and password to validate the user. We then added a user admin and gave him the password password!123. Using the secret keyword encrypts the password in the configuration. The transport input ssh command is used to restrict access to the VTY lines to SSH. By default, both Telnet and SSH are allowed on VTY lines.
Setting IP address information, hostname and domain name.
Generating RSA Keys
Note: To generate the public key pair, a domain name must be specified. For the RSA keys, we’ll specify a modulus of 1024 bits. Remember, the bigger the bit size, the tighter the security.

# config terminal
# crypto key generate rsa modulus 1024

Now it’s time to connect to R2 using R1 as the SSH client. The command to do this is ssh -l username ip-address. In our topology we’ll enter the following command in privileged mode on the R1 terminal.

R1# ssh -l admin

Enter the password and you’re good to go.
Confirm that you are connected by using

R2# show tcp brief

To close ssh session, just type exit.
If you don’t have GNS3 and don’t have access to real gear, check out our tutorials on Installing GNS3 1.2.x on Ubuntu and Linux Mint and Installing GNS3 1.2.x on Kali Linux.
If you want to assure yourself that SSH does encrypt the data stream, right-click on the wire connecting the two routers in GNS3, capture the traffic and follow the TCP stream.
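
As an added example (not code from the original tutorial), this Python script audits a saved running-config for the settings discussed above: login local, transport input ssh, the secret keyword and the ip ssh options. The sample configuration, the domain lab.example, the user backup and the function names are constructed for illustration.

```python
import re

# Constructed running-config excerpt (assumed values, not from the tutorial).
SAMPLE_CONFIG = """\
hostname R2
ip domain-name lab.example
username admin secret 5 $1$constructed$hash
username backup password 0 constructed-cleartext
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh telnet
"""

def vty_blocks(config):
    """Yield (header, sub-commands) for every 'line vty' block."""
    header, body = None, []
    for line in config.splitlines() + ["end"]:   # sentinel flushes last block
        if line.startswith(" "):                 # indented = sub-command
            body.append(line.strip())
            continue
        if header:
            yield header, body
        header, body = (line if line.startswith("line vty") else None), []

def audit_ssh(config):
    """Return a list of findings for the SSH settings the tutorial configures."""
    findings = []
    for prefix in ("ip domain-name", "ip ssh time-out", "ip ssh authentication-retries"):
        if not re.search(rf"^{prefix} \S+", config, re.M):
            findings.append(f"global: '{prefix}' is not set")
    for user in re.findall(r"^username (\S+) password ", config, re.M):
        findings.append(f"user {user}: uses 'password' instead of 'secret'")
    for header, body in vty_blocks(config):
        transport = next((c for c in body if c.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{header}: no 'transport input' line")
        elif transport.split()[2:] != ["ssh"]:
            findings.append(f"{header}: not restricted to SSH ({transport})")
        if "login local" not in body:
            findings.append(f"{header}: 'login local' missing")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ssh(SAMPLE_CONFIG)))
```

On the constructed sample it reports the backup user stored with password and the VTY range 5 15 that still accepts Telnet.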
